Security Holes Found In RIM BlackBerry Service

An anonymous reader writes "Researchers have found several security holes in Blackberry handheld devices and the servers that power them, according to a story at Washingtonpost.com. The research points out serious flaws in the BlackBerry server, which could be exploited by convincing Blackberry handheld users to click on an image file attachment. From the article: 'Lindner's slides from his presentation -- which he agreed not to release until RIM has fully fixed this problem -- show that the Blackberry server which manages all of the encryption keys needed to unscramble e-mail traffic to and from all Blackberry devices registered on the network stores them on a Microsoft SQL database server in plain, unencrypted text. Lindner found that by convincing a Blackberry user to click on a special image attachment, that handheld device could be made to pass on malicious code to the Blackberry server, which could then be taken over and used to intercept e-mails or as a staging point for other attacks within the network.'"

Re:How could they let this slip?

I'm not really sure when the change happened, but the SQL server upgrade happened at version 4.0...previously the enterprise server did not use SQL. This is probably the only reason it took so long to find the flaw.

BTW version 4 is causing duplicate calendar and address book entries for lotus notes users (all 800 of our blackberries are showing this bug yah!). We are debating going back to 3.6 as 4.0 only added wireless synch for address and memo dbs for the user. Not that big of a deal to plug it into a pc once in a while vs. getting duplicate entries.